Visibility Into SSH and SSL Environments

Web-based SSH Key and SSL Certificate Management

Consolidate, control, manage, monitor, and audit the entire life cycle of SSH (Secure Shell) keys. Gain complete visibility of all SSH keys present
in the organization and achieve centralized control to preempt breaches and compliance issues.

Overview

What is Key Manager Plus?

Key Manager Plus is an SSH key management solution which is web-based, and helps you consolidate, control, manage, monitor, and audit the entire life cycle of SSH (Secure Shell) keys. It provides visibility into the SSH environment and helps administrators take total control of the keys to preempt breaches and compliance issues.

Key Manager Plus ensures complete management of certificate life-cycles for public facing websites by integrating with Let's Encrypt, the open Certificate Authority.

A certificate request to Let's Encrypt is raised following the creation of a private-public key pair. After handling the verification challenges, the procured certificates are deployed onto the respective domain servers directly from the product interface. Key Manager Plus consolidates the certificates and facilitates timely renewal on expiry.

Usually, SSH keys are left unmonitored and unmanaged, making organizations vulnerable to cyber attacks. In the absence of an automated system, getting the list of all the keys in use, finding and restricting access privileges, and ensuring periodic rotation is a herculean task.

ManageEngine Key Manager Plus has been designed to solve these issues.

Features

Discover

When users request access to SSH servers, the common practice in most of the organizations is to create new key pairs. Some organizations even allow the end users to create and handle the keys independently. After creation, the keys are not managed at all. This leads to proliferation of keys, lack of centralized control, and even unauthorized access.

To organize and manage the keys, organizations have to first discover all the SSH keys present in the network and how they are being used. Because an inestimable number of keys may be scattered in various systems in the network, organizations need an automated mechanism to discover, consolidate, and store the keys in a secure, centralized repository.

Key Manager Plus resolves these issues by:

Performing automatic network-based discovery for all SSH keys and servers in your network.

Enumerating the user accounts in the discovered servers.

Importing any unused keys available in the network.

Storing the discovered, imported, and generated SSH keys in a centralized repository.

It then maps the key user relationships, making it easier for administrators to deploy, rotate, or delete the keys, as required, and maintain a complete overview of the SSH network.

With Key Manager Plus, the process of creating and deploying keys is simplified. In fact, the entire process can be completed in a couple of clicks, even for an entirely new SSH setup.

Consolidate and store

The key-based authentication for SSH communication is considered robust, secure, and convenient. However, the biggest problem that arises from this practice is that the list of keys and their access permissions are neither recorded nor maintained in a centralized location. In some organizations, the keys lay scattered in disparate storage media and in many others, the keys are handled haphazardly.

Since the keys, theoretically, have an infinite lifetime and are difficult to search for individually, they're left untouched after deployment. Additionally, deploying, rotating, or deleting keys is easier if they are accessible from a central repository, rather than strewn about in different systems.

Key Manager Plus brings these keys together and stores them in a centralized and secure repository. As a result, it is much easier to access and effectively manage the keys. In addition to facilitating centralized management, Key Manager Plus increases the security of SSH keys by storing them in encrypted form. Strict access control provisions help eliminate unauthorized access. Pictorial representations of key to user relationships and comprehensive audit trails help closely track user activities.

Create and deploy

SSH communication uses key pairs to authenticate users and allow access to SSH servers. In most organizations, the key pair creation is handled manually. After creation, private keys have to be linked with their respective users and the public keys have to be deployed in their target servers. This long and circuitous process makes it difficult for the administrators to manage them. So the key creation, linking, and deployment cycles end up requiring an automated mechanism for efficient execution.

Rotate keys periodically

Key-based authentication of SSH communication relies on SSH key pairs and an additional, optional passphrase. While public keys are deployed on target systems, users hold their private keys and the passphrase. They need to supply the private key and passphrase to access the target system.

Although using unique key pairs for each target system is the best practice, it's fairly common to see a single key pair used on multiple systems. What's worse is the same passphrase is being used with all the keys. If a single key pair is compromised, then technically most of the systems across the organization would be, as well.

Key Manager Plus can be used to automatically rotate the keys and deploy them periodically based on a schedule or any time on demand. It provides a holistic view of the key-user relationship as well as the complete history of individual keys such as the date of creation, the creator, the owner, and the date it was last changed. These best practice approaches bolster data security in addition to ensuring compliance with industry standards and regulations. The keys and accompanying passphrases are also encrypted and saved together in Key Manager Plus. This eliminates the need to enter the passphrase each time the user handles the key.

View key user relationship

SSH communication with key-based authentication entrusts users with private keys to access SSH servers. However, because the keys keep proliferating with the addition of users, finding the owner of each private key becomes difficult.

In addition, administrators have to find out who all is authorized to access a particular server and to do this, they must record and track the trust relationship of user-private key and user-public key deployed on the servers. Sometimes, the same user will have multiple key pairs associated with a single SSH server. Manually tracking this relationship is time-consuming, cumbersome, and even inaccurate. So, an automated tracking system is necessary.

Key Manager Plus helps manage the keys not only by fetching and storing them, but also by giving a holistic view of the key to user relationship across the organization. It maps individual keys with their respective user accounts in the remote server. This process makes it easier to identify and delete the key pairs associated with a user during user deprovisioning. Also, the administrators can review and delete any unused keys available in the network.

Launch direct connection

Normally, to access a remote SSH system, users have to first access the remote access tool or console and then manually supply the private key and the passphrase. That is, they must keep the private key and the passphrase handy and it can be time-consuming if the users need to access multiple servers. Hence, an automated system is necessary to make this process smooth and less cumbersome.

Key Manager Plus helps deal with these issues by automatically delivering keys to their respective user accounts in the target server. It also helps automate the remote connection process, by enabling single-click access to the servers, eliminating the need for manual steps.

Audit and track

Various information security guidelines, including those from the NIST (National Institute of Standards and Technology), recommend that organizations manage their SSH keys and track all access and activities. However, that may be easier said than done.

To manage keys effectively, you need a comprehensive auditing and tracking mechanism. You must track all active and inactive SSH keys in the network. Active keys should be changed periodically and inactive keys should be deleted. To track user actions, organizations must control and regulate access to the keys, identify who has access to what, log all access by users, and record their operations during privileged SSH sessions. When users leave the organization, their keys must be deleted, and their access terminated. Organizations need trails to make sure all these crucial activities are being properly executed.

Key Manager helps establish a sound auditing mechanism around the use of SSH keys. It captures all activities executed in the application as audit trails, including the time and result of the execution, the IP address from which the action was performed, and other details.

Restrict and regulate access

In many organizations, users create and deploy SSH keys without the administrator's knowledge. Because access is neither controlled nor monitored, organizations face information security threats. So, having a central mechanism to regulate and monitor access permissions is crucial.

Ideally, the administrators should create, deploy, and monitor the SSH keys' usage. They must define access permissions based on users' roles and responsibilities and periodically review the information on who has access to what systems. In addition, the organization's IT policy (with respect to access controls) should be enforced. Needless to say, performing all these tasks manually will be time consuming and even error prone. On the other hand, implementing an automated system will simplify and secure the use of SSH keys.

Key Manager Plus centralizes and automates key creation, deployment, and access control. It enforces strong access control measures and prevents access violations. Administrators can terminate access anytime by dissociating the keys from their users. Administrators can also review access controls with the real-time audits and reports that Key Manager Plus generates.

Ensure compliance

With cyber threats increasing by the day, IT organizations need to adhere to stringent security controls prescribed by governments. While ensuring compliance with these regulations, organizations have to face IT audits and demonstrate compliance in the form of reports as well.

SSH Key Management / SSL Certificate Management

When it comes to SSH key management, almost all industry and government regulations - including NIST guidelines, PCI-DSS, SOX, HIPAA, FISMA, GLBA, NERC-CIP, COBIT, and others - mandate the following:

Centralized key management.

SSL Certificate Management

Continuous tracking of trust relationships (users to keys to servers).

Periodically changing keys and enforcing strong passphrases.

Tracking who has access to what systems and maintaining an inventory of keys.

Identifying and deleting unused keys.

Promptly deleting keys when users leave the organization.

Auditing and recording all user activities and maintaining those trails.

Key Manager Plus Documentation

Here you can find Key Manager Plus product documentation, brochures and guides. If you have any questions please feel free to contact us and one of our specialists will address your inquiry as soon as possible.